Replies: 2 comments
-
|
We're looking into this |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
In our development environment we run with CORS wide open, but when I create a more restrictive policy with the following headers, everything seems to be accessible: |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
I’m deploying CSET Enterprise on IIS and running into repeated CORS issues. The Angular frontend is making cross-origin calls to the .NET API, and the preflight requests are failing because the IIS server is missing some custom headers.
So far I’ve seen the need to allow these headers:
content-type authorization x-requested-with x-xsrf-token pwd username assessmentidI can copy them one-by-one from the browser’s
Access-Control-Request-Headers, but this feels like a game of whack-a-mole.My questions:
Is there an authoritative list of the custom headers the Angular client for CSET Enterprise will send?
Are there best practices recommended by the CSET team (or community) for managing this in IIS?
Should we expect the header set to change across versions, or is it stable enough to hard-code into
<allowHeaders>?Any official guidance or examples would be very helpful.
Thanks!
Beta Was this translation helpful? Give feedback.
All reactions